Gibson Dunn | Europe | Data Protection – September 2024

Client Alert  |  October 9, 2024


Europe

09/26/2024

Court of Justice of the European Union | Judgment | Corrective Powers

On September 26, 2024, the Court of Justice of the European Union (“CJEU”) published its judgment in Case C-768/21 regarding the corrective powers of the Supervisory Authorities under the GDPR.

The CJEU held that, when an infringement of the GDPR is established, the Supervisory Authority is not obliged to exercise a corrective power in every case, in particular where an administrative fine does not appear necessary to remedy the infringement found and ensure that the GDPR is enforced. The Court added that this may be the case where the controller, as soon as it became aware of the infringement, took the measures necessary to bring it to an end and to ensure that it does not recur.

For more information: CJEU Press release | Curia

09/12/2024

European Commission | Public Consultation | Standard Contractual Clauses

The European Commission announced that it plans to request public feedback on a draft of Standard Contractual Clauses (“SCCs”) under the GDPR in the fourth quarter of 2024.

The European Commission specified that these SCCs are relevant in the specific case where a data importer is located in a third country but is directly subject to the GDPR. They would complement the existing clauses related to data transfers to third country importers not subject to the GDPR.

For more information: European Commission Website

09/12/2024

Court of Justice of the European Union | Judgment | Lawful Basis

On September 12, 2024, the Court of Justice of the European Union (“CJEU”) published its judgment in the Joined Cases C-17/22 and C-18/22 regarding the lawfulness of processing relying on the performance of a contract.

Under Article 6(1)(b) GDPR, processing is lawful where it is necessary for the performance of a contract to which the data subject is party. The CJEU held that where a contract expressly prohibits the disclosure of personal data, such disclosure cannot be regarded as objectively indispensable for the performance of that contract.

For more information: Curia

09/12/2024

European Data Protection Board | Call for Expression of Interest | Consent or Pay

On September 12, 2024, the European Data Protection Board (“EDPB”) announced that it launched a call for expression of interest for a remote stakeholder event on November 18, 2024, to collect stakeholders’ input on upcoming guidelines on the application of data protection legislation in the context of “Consent or Pay” models.

The guidelines will be a continuation of the EDPB Opinion 08/2024, which addressed the “Consent or Pay” model in the context of large online platforms. These guidelines will have a broader scope of application.

For more information: EDPB Website

Austria

09/03/2024

Austrian Supervisory Authority | Accreditation | GDPR Certification Body

On September 3, 2024, the Austrian Supervisory Authority (“DSB”) announced the accreditation of the first GDPR certification body in Austria.

In addition, certification criteria under Art. 42(5) GDPR have been approved, allowing certification bodies to issue certifications based on these standards. Similar to codes of conduct, certifications serve as a compliance tool. Controllers can now be certified under these criteria.

For more information: DSB Website [DE]

Belgium

09/19/2024

Belgian Supervisory Authority | Guidelines | AI

The Belgian Supervisory Authority (“APD”) introduced a section on its website dedicated to artificial intelligence and published new guidelines clarifying the interplay between the GDPR requirements and AI systems in light of the newly adopted AI Act.

The initiative aims to improve understanding and promote responsible AI practices. The brochure identifies the GDPR requirements that specifically apply to AI systems (e.g., lawfulness of processing, transparency).

For more information: APD Website [NL] | Guidelines [EN]

09/06/2024

Belgian Supervisory Authority | Decision | Non-profit Organization Mandate

On September 6, 2024, the Belgian Supervisory Authority (“APD”) published a decision rejecting the validity of a representation mandate submitted by a non-profit organization, considering that the mandate constituted an abuse of rights by that organization.

For more information: APD Website [NL]

France

09/24/2024

French Supervisory Authority | Recommendation | Mobile applications

On September 24, 2024, the French Supervisory Authority (“CNIL”) published its recommendations on mobile applications.

Following a public consultation initiated in July 2023, these recommendations aim to (1) clarify the role and obligations of each stakeholder in the mobile ecosystem, (2) improve user information on the use of their data, and (3) reiterate that applications must obtain valid consent to process data that is not necessary for their operation.

For more information: CNIL Website

09/05/2024

French Supervisory Authority | Sanction | Anonymization and Pseudonymization

On September 5, 2024, the French Supervisory Authority (“CNIL”) imposed a fine of €800,000 on a software provider.

The CNIL’s investigation showed that the provider processed health data without the required authorization and made it available to its clients for study and statistical purposes. The provider argued that the data was anonymous; the CNIL found that it was merely pseudonymized, since each record contained detailed personal data linked to a unique patient identifier, which allowed records to be joined per patient and made re-identification possible. The data processed by the provider therefore did not meet the criteria for anonymization.
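The distinction the CNIL draws here, data that still carries a stable per-patient token and can be joined record to record, versus data from which no individual can be singled out, is easy to test for in practice. The following Python is an added illustration written for this summary; it is not material from the CNIL decision or from the provider concerned. The patient records, field names, the secret key and the choice of birth year, postcode and sex as quasi-identifiers are constructed assumptions.

```python
"""Pseudonymised is not anonymised: linkage and re-identification checks.

Added illustration for the CNIL decision summarised above; not the CNIL's
material nor the provider's code.  Records, field names, the key and the
quasi-identifier choice are constructed assumptions.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real patients); diagnosis codes are illustrative.
PATIENTS = [
    {"patient_id": "P-1001", "birth_year": 1958, "postcode": "75011", "sex": "F", "diagnosis": "E11"},
    {"patient_id": "P-1002", "birth_year": 1958, "postcode": "75011", "sex": "F", "diagnosis": "I10"},
    {"patient_id": "P-1003", "birth_year": 1991, "postcode": "13008", "sex": "M", "diagnosis": "J45"},
    {"patient_id": "P-1004", "birth_year": 1991, "postcode": "13008", "sex": "M", "diagnosis": "E11"},
    {"patient_id": "P-1005", "birth_year": 1973, "postcode": "69003", "sex": "F", "diagnosis": "I10"},
    {"patient_id": "P-1006", "birth_year": 1977, "postcode": "69007", "sex": "F", "diagnosis": "J45"},
]

# Attributes an outsider may already know about a person from other sources.
QUASI_IDENTIFIERS = ("birth_year", "postcode", "sex")


def pseudonymize(records, key: bytes):
    """Replace the direct identifier with a keyed HMAC token.

    The mapping is deterministic on purpose: one patient always receives the
    same token, so records can still be joined per patient.  That is exactly
    why the output is pseudonymised rather than anonymised: the key holder can
    reproduce the mapping, and any recipient can link records sharing a token.
    """
    out = []
    for r in records:
        token = hmac.new(key, r["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({**{k: v for k, v in r.items() if k != "patient_id"}, "pseudonym": token})
    return out


def unkeyed_token(patient_id: str) -> str:
    """A plain SHA-256 of the identifier, as a naive 'anonymisation' might do."""
    return hashlib.sha256(patient_id.encode()).hexdigest()[:16]


def recover_unkeyed(token: str, candidate_ids):
    """An unkeyed hash is no better: when the identifier space is small
    (here 'P-' plus four digits) the token is inverted by enumeration."""
    for cid in candidate_ids:
        if unkeyed_token(cid) == token:
            return cid
    return None


def min_k(records, quasi_ids=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group of records sharing the same quasi-identifier
    values (k-anonymity).  k == 1 means some record is unique on attributes an
    outsider can know, so removing the direct identifier did not prevent
    re-identification by linkage with an external dataset."""
    classes = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(classes.values())


def generalize(records):
    """Coarsen quasi-identifiers (birth year -> decade, postcode -> first two
    digits) so more records fall into each equivalence class.  Whether this
    reaches anonymisation depends on the whole dataset and on what else a
    recipient holds; it is one step, not a guarantee."""
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = (r["birth_year"] // 10) * 10
        g["postcode"] = r["postcode"][:2]
        out.append(g)
    return out


def linkable_pairs(release_a, release_b):
    """Records from two separate releases that share a pseudonym: the join a
    recipient can perform without ever learning a real identity."""
    by_token = {r["pseudonym"]: r for r in release_b}
    return [(a, by_token[a["pseudonym"]]) for a in release_a if a["pseudonym"] in by_token]


if __name__ == "__main__":
    key = b"example-key-do-not-reuse"  # assumption: a secret held by the data provider
    release_a = pseudonymize(PATIENTS[:4], key)
    release_b = pseudonymize(PATIENTS[2:], key)
    print("records joinable across releases:", len(linkable_pairs(release_a, release_b)))
    print("min k on raw quasi-identifiers:  ", min_k(PATIENTS))
    print("min k after generalisation:      ", min_k(generalize(PATIENTS)))
    guess = recover_unkeyed(unkeyed_token("P-1003"), (f"P-{n}" for n in range(1000, 2000)))
    print("unkeyed hash inverted to:", guess)
```

Run as a script, the example shows the two failure modes the decision turns on: two releases of pseudonymised records join on the token, and even with the token removed the raw quasi-identifiers leave unique records (k = 1). Generalising the quasi-identifiers raises k on this constructed sample; on real data the same check has to be run against the full dataset and the auxiliary data a recipient could plausibly hold.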

For more information: CNIL Website [FR]

Germany

09/25/2024

Thuringia Supervisory Authority | Annual Report 2023

The Thuringia Supervisory Authority (“TLfDI”) has issued its Annual Report on its activities in 2023.

The TLfDI reports, among other things, the initiation of 115 fine proceedings, slightly more than in the previous year.

For more information: TLfDI Website [DE]

09/17/2024

Berlin Supervisory Authority | Annual Report 2023

The Berlin Supervisory Authority (“BlnBDI”) has issued its Annual Report on its activities in 2023.

In 2023, the BlnBDI, among other things, developed a standard process for the data protection-compliant implementation of digitization projects by Berlin authorities.

For more information: BlnBDI Website [DE]

09/15/2024

German Government | Announcement | AI Regulation

The Federal Ministry for Economic Affairs and Climate Action announced that the Federal Network Agency will take the lead in overseeing the AI Act. However, the data protection authorities will remain involved in the process.

The government chose the Federal Network Agency for its experience in product safety rather than in data protection. While the oversight arrangement is intended to reduce bureaucracy, the continued involvement of the data protection authorities is meant to ensure that compliance with privacy rules remains a priority.

For more information: Ministry’s Announcement [DE]

09/11/2024

German Data Protection Conference | Position Paper | Scientific Research

The German Data Protection Conference (“DSK”) issued a position paper on the GDPR’s special regime on data processing for scientific research purposes (Article 89).

The DSK sets out five criteria that must be met for processing to fall under the special regime for scientific research: the pursuit of new knowledge, a methodical and systematic approach, a public interest, verifiability, and independent and autonomous research. This regime allows for changes of processing purpose, the handling of sensitive data, limited information obligations, and the suspension of data deletion.

For more information: DSK Website [DE]

09/11/2024

German Data Protection Conference | Guidance | Data Transfers & Asset Deals

On September 11, 2024, the German Data Protection Conference (“DSK”) updated its guidance on data transfers in the context of asset deals.

The DSK clarified that the transfer of personal data in the context of an asset deal requires a detailed legal assessment. Whereas a share deal raises fewer issues because the controller does not change, an asset deal demands careful consideration of data protection law, with voluntary consent or legitimate interests often needed to justify the transfer. In particular, a distinction must be drawn between active and completed business relationships: data from ongoing relationships can usually be transferred on certain legal grounds, while data from completed relationships may require the customers’ consent or an objection procedure to ensure compliance.

For more information: DSK Website [DE]

09/04/2024

Federal Ministry for Digital and Transport | Ordinance | Cookie banners | Consent

The Federal Government adopted an Ordinance on Consent Management Services presented by the Federal Ministry for Digital and Transport.

This Ordinance, adopted under Section 26(2) of the Telecommunications Digital Services Data Protection Act (“TDDDG”), sets out requirements for consent management services that users can rely on to record and communicate their consent decisions, and thereby provides an alternative to repeated cookie banners.

For more information: BMDV Website [DE]

Ireland

09/12/2024

Irish Supervisory Authority | Inquiry | AI | Data Protection Impact Assessment

On September 12, 2024, the Irish Supervisory Authority (“DPC”) announced that it launched an inquiry into an AI model.

This cross-border statutory inquiry concerns whether the company that developed the AI model complied with its obligation under Article 35 GDPR to carry out a data protection impact assessment before processing the personal data of EU data subjects in connection with the development of that model.

For more information: DPC Website

09/04/2024

Irish Supervisory Authority | Proceedings | AI

On September 4, 2024, the Irish Supervisory Authority (“DPC”) announced the conclusion of the proceedings relating to an AI tool brought before the Irish High Court on August 8, 2024.

The matter was resolved after the company agreed to comply with the DPC’s terms on a permanent basis. This action, the first of its kind brought by the DPC, was initiated because of serious concerns that the processing of EU individuals’ personal data for the purpose of training AI models posed a risk to their fundamental rights and freedoms. On the same day, the DPC requested an opinion from the European Data Protection Board on certain core issues arising from processing for the purpose of developing and training an AI model.

For more information: DPC Website

Netherlands

09/05/2024

Dutch Supervisory Authority | Guidance | Data Breach Notification

The Dutch Supervisory Authority (“AP”) published a report analyzing more than 50 notifications sent to data subjects following the largest data breaches in 2023, along with a set of recommendations.

The AP found that the notifications were sent late (three weeks after the breach on average), lacked clarity and detail about the breach, and did not use subject lines that alerted recipients to it. The AP further describes the challenges organizations face when informing data subjects, including the effort to avoid technical language and the time needed for internal approval of the message. Finally, the AP provides recommendations, with sample messages, to guide organizations.

For more information: AP Website [NL]

09/03/2024

Dutch Supervisory Authority | Sanction | Unlawful Database

The Dutch Supervisory Authority (“AP”) fined a company €30.5 million for unlawfully creating a facial recognition database and warned Dutch organizations not to use the company’s services.

The AP found that the company had processed biometric data without being able to rely on one of the exceptions provided by the GDPR. In addition, the company insufficiently informed data subjects on the processing of their personal data and failed to respond to their access requests. Finally, the AP noted that the company did not designate a representative in the EU. In addition to the €30.5 million fine, the AP imposed four orders to end ongoing violations, subject to a €5.1 million penalty in case of non-compliance.

For more information: AP Website [NL] | EDPB Website

Poland

09/20/2024

Polish Supervisory Authority | Guidance | Data Breach

The Polish Supervisory Authority (“UODO”) issued guidance for controllers on personal data breaches caused by the recent floods in southern Poland.

The UODO recalls that the 72-hour period for notifying a data breach to the authority runs from the moment the controller becomes aware of it, and clarifies that, in the current circumstances, awareness may only be possible once the situation is under control. Where controllers are nevertheless unable to meet the deadline, the authority recommends justifying the delay by reference to the extraordinary circumstances caused by the flood.

For more information: UODO Website [PL]

09/09/2024

Polish Supervisory Authority | Sanction | Breach notification

The Polish Supervisory Authority (“UODO”) published its decision of August 20, 2024, imposing a fine of PLN 4,053,173 (approx. €948,158) on a bank for failing to notify a data breach to its customers.

The UODO noted that an employee of the bank had mistakenly sent customers’ documents to another financial institution. The customers were not notified of the breach even though the UODO had informed the bank that such notification was required. The bank argued that, because the recipient was itself bound by banking secrecy, notifying the data subjects was unnecessary. The authority rejected this argument, stressing that banking secrecy on the recipient’s side could not exempt the bank from its own obligations.

For more information: UODO Website [PL]

Spain

09/02/2024

Spanish Supervisory Authority | Blog Post | Probabilistic Methods

The Spanish Supervisory Authority (“AEPD”) published a blog post on probabilistic methods and GDPR compliance.

The AEPD underlines that probabilistic or estimative methods are widely used in digital services and allow machine learning and artificial intelligence models to learn, improve and adapt to changing patterns. The authority states that the use of such methods raises questions regarding the principle of accuracy, as they may lead to false negatives, false positives or prediction errors. It emphasizes that the controllers should consider error thresholds and, on a case-by-case basis, alternative or complementary methods.

For more information: AEPD Website

United Kingdom

09/20/2024

UK Supervisory Authority | Statement | Generative Artificial Intelligence

The UK Supervisory Authority (“ICO”) issued a statement welcoming the suspension by a company of its processing of UK users’ personal data to train its generative AI models, pending further engagement with the ICO.

The ICO also stated that it will continue to monitor major developers of generative AI to ensure that the safeguards are in place and the rights of UK users are protected.

For more information: ICO Website

09/10/2024

UK Supervisory Authority and NCA | Memorandum of Understanding | Cyber Security

The UK Supervisory Authority (“ICO”) and the National Crime Agency (“NCA”) signed a Memorandum of Understanding that sets out their cooperation to improve the UK’s cyber resilience.

The aim is to ensure that organizations can better protect themselves from their data being stolen and held for ransom.

For more information: ICO Website

09/09/2024

UK Parliament | Bill | Automated Decision-Making

The “Public Authority Algorithmic and Automated Decision-Making Systems” Bill was introduced and passed the first reading in the House of Lords.

The Bill aims to regulate the use of automated and algorithmic tools by public authorities as part of their decision-making systems. It requires public authorities to conduct an impact assessment of such systems and introduces standards to ensure transparency.

For more information: UK Parliament Website

09/05/2024

UK Supervisory Authority | Study | Data Collection

The UK Supervisory Authority (“ICO”) released the results of its “Data Controller Study”.

The study was carried out to gain a deeper understanding of how organizations collect and use personal data and to inform the ICO’s strategic, regulatory and research activities. The results include quantitative and qualitative data on, in particular, the demographic characteristics and processing activities of controllers, the technology they use, and their level of awareness of data protection law and of the ICO.

For more information: ICO Website


This newsletter has been prepared by the European Privacy team of Gibson Dunn. For further information, you may contact us by email:

Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris

Joel Harrison – Partner, Co-Chair, PCDI Practice, London

Vera Lukic – Partner, Paris

Lore Leitner – Partner, London

Kai Gesing – Partner, Munich

Clémence Pugnet – Associate, Paris

Thomas Baculard – Associate, Paris

Hermine Hubert – Associate, Paris

Billur Cinar – Associate, Paris

Christoph Jacob – Associate, Munich

Yannick Oberacker – Associate, Munich

Sarah Villani – Associate, London

Miles Lynn – Associate, London

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.